Vulnerability Note VU#134025

kernel-utils sets insecure permissions on "uml_net" utility

Overview

The uml_net utility, part of the kernel-utils package in Red Hat Linux 8.0, was shipped with incorrect permissions.

Description

User-Mode Linux (UML) is a tool to provide a virtual machine in which to run another copy of Linux. In Red Hat linux 8.0, the kernel-utils package contains the UML utilities. One of the UML utilities, uml_net, was incorrectly shipped setuid root.

Impact

Local users could control network interfaces, put interfaces into promiscuous mode, and add and remove arp entries and routes.

Solution

Apply a patch as described in the Red Hat bulletin. If a patch cannot be applied, you can remove the suid bit from the uml_net package with the following command: